CVE-2024-37821: Code Injection in ERP CRM

Severity
8.8 HIGH (NVD)
EPSS
0.2%
top 53.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Jun 18

Description

An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1 allows attackers to execute arbitrary code via uploading a crafted .SQL file.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (2 packages)

Packagist: dolibarr/dolibarr < 19.0.2

🔴 Vulnerability Details (3)

GHSA: Dolibarr arbitrary file upload vulnerability (2024-06-18)
OSV: Dolibarr arbitrary file upload vulnerability (2024-06-18)
CVEList: CVE-2024-37821: An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19 (2024-06-18)